Open Source Security Responsibility Remains Undefined

June 6, 2013

Open source is enjoying increasing adoption in the enterprise, a realm where security has always been a top priority. However, it seems that when it comes to open source components, the enterprise has yet to determine a clear plan of action for ensuring and maintaining security. Network World explores the topic in the article, “Control and Security of Corporate Open-source Projects Proves Difficult.”

The article begins:

“Open source has become a staple for software development in the enterprise, but keeping track of it and maintaining security for it remains an elusive goal, according to a survey of more than 3,500 data architects and developers published today by Sonatype, which provides component lifecycle management products and also operates the Central Repository for downloading open-source software.”

An infographic goes on to show that responsibility for open source security is scattered across a wide variety of departments and job titles. For organizations that want the benefits of open source without taking on the risk of managing raw components themselves, a value-added, supported solution is the better option. LucidWorks, for instance, has made a name for itself with a fully supported solution built on Apache Lucene and Solr, and others are now incorporating LucidWorks into their own offerings to meet enterprise security standards.

Emily Rae Aldridge, June 6, 2013

Sponsored by ArnoldIT.com, developer of Beyond Search

Healthcare and Social Media: Complying with HIPAA and Avoiding Fines

June 1, 2013

On HIPPOmsg, the article Be Careful with Social Media and HIPAA Information Security warns healthcare professionals about the pitfalls of social media. HIPAA, the Health Insurance Portability and Accountability Act, requires stringent measures to protect the privacy of patients' health information. Many doctors have professional pages, but even these are not the appropriate forum for giving medical advice. The article explains why:

“With millions of people using social media day in and day out to communicate, there will no doubt be a time when a patient tries to ask for medical advice. Don’t give it!! Direct your patients to make an appointment. This allows you to see first-hand the situation and will take any speculation out of the equation. Also, social media is notorious for a lack of HIPAA security. Avoid sharing personal information to avoid HIPAA violations and fines or worse.”

The article also warns young doctors and medical students against sharing inappropriate “materials” that could damage their reputation and affect their career path down the road. HIPPOmsg is offered as a secure way to text or email from a mobile device. But even with a professional page and a secure method of sharing information, doctors are not immune to wrongheaded behavior on their personal pages. At ArnoldIT you can learn about your digital footprint and how to minimize the risks associated with social media.

Chelsea Kerwin, June 01, 2013

If you are interested in gourmet food and spirits, read Gourmet De Ville.

Employee Rights Regarding Social Networks Passwords and Login Information

May 31, 2013

The article BYOD Policy: Employee Rights to Social Media Privacy is Paramount on PC Advisor advises companies on how to approach the social media privacy of their employees. BYOD (Bring Your Own Device) policies are now often legal documents with a privacy section outlining employee rights. An employer's attempt to access an employee's private online accounts or communications without authorization can lead to a fine or imprisonment. The article explains:

“There is a legal precedent favoring employee rights: Pietrylo v. Hillstone Restaurant Group in 2009, whereby a couple of employees created a MySpace page to complain to registered members about the company. Managers allegedly pressured one member, another employee, to give up her log-in ID and password to access the MySpace page. The two employees that created the MySpace page were outed and fired, yet the court upheld the jury's verdict that Hillstone was liable for violations of the SCA.”

Janco Associates, a management-consulting firm, has a 14-page BYOD policy. But the underlying message is simple: the employer must not attempt to access employees' private social networks. Even requesting login information is dangerous, because the burden falls on the employer to prove that it did not coerce the employee into handing it over. Being cautious and treating employees' private information as sacrosanct may be the easiest way to avoid legal trouble. To learn more about planning a safe and constructive social media strategy, visit ArnoldIT.

Chelsea Kerwin, May 31, 2013

If you are interested in gourmet food and spirits, read Gourmet De Ville.

Change Passwords and Administrative Statuses Before Firing Employees

May 31, 2013

The article Sacked HMV Employee, A Lesson In Social Media Security on Veronica Pullen's site is a cautionary tale for any business owner interested in social media. HMV, a London-based music retailer, learned the hard way that if you are going to fire a large swath of staff, it is best to take control of the corporate Twitter account beforehand. Employees being let go began live-tweeting the firings and badmouthing the company from its own account. The article discusses social media responsibility:

“Many business owners don’t know for sure exactly who has access to their Facebook and Twitter passwords, and if you don’t keep a tight rein on access info, you could be leaving yourself at risk too. One of the first things I do when I start working with a new client is to check who the administrators are for their Facebook Page, and who has access to Twitter.”

HMV's marketing staff regained control of the account later that day and erased the posts, but they had not counted on a delighted audience taking screenshots of the inflammatory tweets as soon as they appeared. Deleting a public post removes the copy you control, not the copies others have already made.

To avoid being put at the mercy of disgruntled employees, the article recommends keeping a current inventory of who administers each social media account and who holds its passwords, and revoking that access before a departure is announced. At ArnoldIT a staff of professional social media experts offers an abundance of information on implementing the right social media strategy for your business.

Chelsea Kerwin, May 31, 2013

If you are interested in gourmet food and spirits, read Gourmet De Ville.

Cloudera Falls Short in Big Data Security

May 31, 2013

Hadoop and its surrounding ecosystem are a big discussion point not just among the open source crowd, but across enterprise data management as a whole. Cloudera is a leading contender for those interested in value-added solutions based on Hadoop. However, its handling of security is troubling some experts. Read more in the Cloud Tweaks article, “Cloudera Not Cutting It With Big Data Security.”

The article begins:

“Cloudera is, for the moment, a dominating presence in the open source Hadoop landscape; but does it have staying power? While Cloudera’s Big Data platform is the darling of the Hadoop space, they and their open source distribution competitors have so far failed to adequately address the elephant in the room: enterprise data security.”

When it comes to the enterprise, security failings cannot be easily overlooked. For those who want to harness the power of Hadoop while maintaining the highest security standards, MapR recently launched a partnership with LucidWorks that aims to do just that: MapR's interest in LucidWorks was to bring powerful and secure analytics to Big Data through Hadoop. LucidWorks has a long record of industry trust and success, so enterprises can feel better about entrusting their data to a tested enterprise name.

Emily Rae Aldridge, May 31, 2013

Sponsored by ArnoldIT.com, developer of Beyond Search

Richard Hickman Can Restore Deleted Snapchat Pictures For a Price

May 30, 2013

The article Some Jerk Has Figured Out a Way to Recover Your “Deleted” Snapchat Photos, on BetaBeat, reports that a once safe space has been made dangerous by a Utah security firm. Snapchat's “deleted” pictures are in reality still stored on the phone, cloaked by a “.NOMEDIA” extension affixed to the file name; by altering that extension, Richard Hickman recovered the deleted pictures from an Android phone. Hickman said:

“Then it's most likely put into unallocated space, where here it's actually allocated,” Hickman said. “It's not that it's deleted — it just isn't mapped anymore. It says okay, that spot where that picture was stored is now available to be overwritten. That's what would happen with a regular camera.” He wants to further ruin your life: he's working on a way to trace the sender's information and developing the same recovery capability for iPhones.

Adding to the bad news for Snapchat users, Hickman has begun offering the recovery service for a fee of $300 to $500. As if a digital footprint weren't hard enough to erase, now “erased” data might not really be gone. While this may be of immediate concern to some (Snapchat “sexters”), it should make all of us think about the implications. Maybe online data never truly goes away.
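To make the mechanism concrete, here is an added example of my own, not code from the BetaBeat article or from Hickman, that reproduces the recovery step on a constructed directory: files whose names carry a “.nomedia” suffix are identified by their header bytes rather than their names, and those that turn out to be JPEG or PNG images are copied out with a proper extension. The directory layout and file names are made up for the demonstration; the page does not give Snapchat's real cache path, so none is assumed. The point the code makes is Hickman's point: appending a suffix changes only the name, and the image bytes are untouched.

```python
"""Constructed demo: reveal image files hidden behind a '.nomedia' name suffix by
sniffing their header bytes, then copy them out under a proper extension."""
import shutil
import tempfile
from pathlib import Path

HIDDEN_SUFFIX = ".nomedia"

# Header signatures for the two formats handled here (assumption: JPEG and PNG only).
MAGIC = {
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
}
EXTENSION = {"jpeg": "jpg", "png": "png"}


def sniff_image_type(path):
    """Return 'jpeg', 'png' or None based on the first bytes, never on the file name."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    for kind, sig in MAGIC.items():
        if head.startswith(sig):
            return kind
    return None


def recover_hidden_media(src_dir, out_dir):
    """Walk src_dir for files carrying HIDDEN_SUFFIX, keep those that really are
    images, and copy each to out_dir named <stem>.<ext> for its detected type.
    Returns [(hidden_name, recovered_name, kind), ...] in sorted path order."""
    src_dir, out_dir = Path(src_dir), Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    recovered = []
    for path in sorted(src_dir.rglob("*" + HIDDEN_SUFFIX)):
        if not path.is_file():
            continue
        kind = sniff_image_type(path)
        if kind is None:
            continue  # wears the suffix but is not an image we recognise
        stem = Path(path.name[: -len(HIDDEN_SUFFIX)]).stem
        target = out_dir / f"{stem}.{EXTENSION[kind]}"
        shutil.copy2(path, target)  # copy, do not rename: leave the evidence as found
        recovered.append((path.name, target.name, kind))
    return recovered


def build_sample_cache(root):
    """Create constructed sample files (not real Snapchat data) under root."""
    root = Path(root)
    root.mkdir(parents=True, exist_ok=True)
    (root / "h1a2b3.jpg.nomedia").write_bytes(MAGIC["jpeg"] + b"\xe0" + b"\x00" * 64)
    (root / "h4c5d6.nomedia").write_bytes(MAGIC["png"] + b"\x00" * 64)
    (root / "h7e8f9.nomedia").write_bytes(b"not an image at all")
    (root / "visible.jpg").write_bytes(MAGIC["jpeg"] + b"\x00" * 8)  # no suffix: untouched
    return root


def demo():
    """Build the sample cache in a scratch directory and run the recovery over it.
    Returns (results, recovered_dir) so the output files can be inspected."""
    scratch = Path(tempfile.mkdtemp(prefix="nomedia-demo-"))
    cache = build_sample_cache(scratch / "cache")
    results = recover_hidden_media(cache, scratch / "recovered")
    for hidden, out, kind in results:
        print(f"{hidden} -> {out} ({kind})")
    return results, scratch / "recovered"


if __name__ == "__main__":
    demo()
```

Two forensic habits are built in: the files are copied rather than renamed in place, so the evidence is not modified, and the image type comes from the magic bytes, so a file that merely wears the suffix but is not an image is left alone.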

Chelsea Kerwin, May 30, 2013

Sponsored by ArnoldIT.com, developer of Augmentext

Open Source Security Remains Corporate Concern

May 24, 2013

When it comes to enterprise information technology concerns, security is usually at the top of the list. Some say that using open source software leaves an organization more susceptible to security risks, while others argue just the opposite. This very debate continues in the Java World article, “Survey: Control and Security of Corporate Open Source Projects Proves Difficult.”

The article hones in on one particular component of the security issue: whether or not an organization has an open source policy at all. The results were compiled through a survey:

“When the 3,500 survey respondents were asked what are the biggest challenges in their company’s open-source policy, the main reasons listed were ‘no enforcement,’ ‘it slows down development’ and ‘we find out about problems too late in the process.’ When asked who in the organization has primary responsibility for open-source policy and governance, 36 percent ascribed that role to ‘application-development management,’ 14 percent to ‘IT operations,’ 16 percent to legal, 13 percent to an open-source committee or department, 7 percent to security, 7 percent to risk and compliance and 7 percent to ‘other.’”

So even among organizations that do have an open source policy, many acknowledge little enforcement and paltry oversight. These concerns are real. However, an organization may benefit from a compromise: a value-added open source option. A solution like LucidWorks is fully packaged and supported, not just free-roaming bits of code grabbed from the open web. Users and managers can feel more confident in LucidWorks because it is packaged in a way that is easier for them to understand. Most importantly, LucidWorks has long-term industry support and a positive track record.

Emily Rae Aldridge, May 24, 2013

Sponsored by ArnoldIT.com, developer of Beyond Search

Google Yourself to Learn About Your Digital Footprint and Avoid Security Breaches

May 22, 2013

The aptly titled article, Do a Google Search on Yourself Every Few Months to Find Out What Others Can Learn About You on SecurityFAQs, reminds us yet again of the time before the Google revolution, when encyclopedias were still a great gift and students knew and used the Dewey Decimal System. Today, if you aren't careful, you can leave valuable information about yourself for all to see and, in some cases, to use against you. The article explains:

“Some of the information that Google offers may be able to harm you. Google indexes other websites around the web including some of the websites that you might have visited at some point. If you left information about yourself on one of these websites then there is a good chance that Google might have indexed that information and it is available to the public. If someone was able to type in the right search they would be able to access that information.”

Googling yourself may seem like a vanity exercise, but in fact it helps you understand your digital footprint and what information is out there for all the world to see. The article mentions black hat hackers several times: those who breach your computer security for no other reason than malice. ArnoldIT offers more information on digital footprints and the risks you might be exposing yourself to without being aware of it.

Chelsea Kerwin, May 22, 2013

If you are interested in gourmet food and spirits, read Gourmet De Ville.

Bloomberg and Alleged Two Way Systems

May 11, 2013

Just a small thing, the Bloomberg privacy breach allegations. There are far weightier matters in search; for example, are evaluations and ratings of search vendors objective? Someone on the LinkedIn Enterprise Search Engine Professional Group even raised the possibility that vendors “pay” for coverage in some consultants’ evaluations of technology.

Well, on to the smaller thing, which the New York Times labels this way: “Privacy Breach on Bloomberg's Data Terminals.” You can locate the story in the May 11, 2013, edition of the newspaper. If you look online at http://goo.gl/oeMqA you may be able to view the news story. (Google, no promises, because I know how you want every blog post to have continuously updated links, but that's another issue.)

The story seems to have originated with a real journalism operation called The New York Post. This point appears in paragraph six, so it is definitely treated as subordinate.

As I understand the allegation, Bloomberg trading terminals had a function which allowed “journalists to monitor subscribers”; the Times reports that these functions “were promptly disabled.” I think that Bloomberg terminals generate some sort of report which allegedly allowed a journalist to determine whether someone had used the terminal. The idea is that no use of a terminal suggests that the person has either moved on, lost his or her hands, or been given an opportunity to find his or her future elsewhere.


How secure are secure systems? Image source: Sandia.gov at http://goo.gl/NaEBE. Modern methods for accessing digital information are difficult to depict. Paper is tangible. Digital data are just “out there.” Humans assume that if it cannot be seen, the problems associated with what's “out there” are no big deal. Is this an informed viewpoint?

The Atlantic Wire covered the alleged breach in a story called “Why Billions Are at Stake in the Bloomberg Terminal Privacy Problem.” What I found interesting was that the Atlantic Wire pointed out that the breach allegedly allowed a journalist to determine the “news habits” of Bloomberg terminal users. Is this similar to the type of information which online services extract from users’ Web search histories?


They Are Appearing on IP Radar

May 11, 2013

Being out at sea is isolating and takes a certain personality to handle, but Ars Technica points to something that may shave a little off that feeling: “Good Morning, Captain: Open Ports Let Anyone Track Ships On Internet.” It is no surprise that everything is connected to the Internet, and Rapid7 Labs researchers, during a census of the entire Internet, discovered a great deal of data from ships' Automatic Identification System (AIS) receivers exposed on open ports. AIS transponders are installed on ships, buoys, and other navigation markers and broadcast position data so that vessels can be tracked; they exist to prevent collisions, the maritime equivalent of air traffic control. Within two hours of finding the exposed receivers, the researchers collected more than two gigabytes of data on ships, including military and law enforcement vessels.

Before you ask the question: yes, it does pose a security risk, because everything from safety messages to casual greetings was picked up. The alarming factor is what type of ships they came from.

“As the Rapid7 report points out (and as numerous readers have pointed out as well) the data from AIS is openly published via AIS itself and a number of websites in any case.  The data is public by nature—otherwise it wouldn’t be effective in preventing collisions at sea.  But the information collected from the AIS system itself is a vulnerable asset—the US Coast Guard counts on AIS in combination with other, secure data sources as part of its Nationwide AIS, a maritime security system.”

Because AIS broadcasts carry no authentication, attackers could spoof the data and feed misinformation to cause terror and panic. The weakness has been noted and, as usual, someone is on the case. The main question is when it will be addressed.
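To show why the spoofing concern is more than theoretical, here is an added example of my own, not code from the Ars Technica story or the Rapid7 report, that builds an AIS class A position report (message type 1, following the ITU-R M.1371 field layout), wraps it in an NMEA 0183 `!AIVDM` sentence, and decodes it again. The vessel identity (MMSI), position, speed and course are constructed values. The NMEA checksum protects against transmission errors only; nothing in the format ties a sentence to a real transmitter, so a forged report carrying any MMSI decodes exactly as cleanly as a genuine one.

```python
"""Constructed AIS demo: encode and decode a type 1 position report inside an
NMEA 0183 !AIVDM sentence. Field layout follows ITU-R M.1371 message types 1-3."""


def nmea_checksum(body: str) -> str:
    """XOR of every character between the leading '!' and the '*', as two hex digits."""
    csum = 0
    for ch in body:
        csum ^= ord(ch)
    return f"{csum:02X}"


def bits_to_sixbit(bits: str) -> str:
    """Pack a bit string (length a multiple of 6) into the AIS 6-bit ASCII armour."""
    out = []
    for i in range(0, len(bits), 6):
        v = int(bits[i:i + 6], 2)
        out.append(chr(v + 48 if v < 40 else v + 56))
    return "".join(out)


def sixbit_to_bits(payload: str) -> str:
    """Inverse of bits_to_sixbit; rejects characters outside the two valid ranges."""
    bits = []
    for ch in payload:
        o = ord(ch)
        if 48 <= o <= 87:
            v = o - 48
        elif 96 <= o <= 119:
            v = o - 56
        else:
            raise ValueError(f"invalid 6-bit character {ch!r}")
        bits.append(f"{v:06b}")
    return "".join(bits)


def to_twos(value: int, width: int) -> str:
    """Signed integer -> fixed-width two's-complement bit string."""
    return format(value & ((1 << width) - 1), f"0{width}b")


def from_twos(bits: str) -> int:
    """Fixed-width two's-complement bit string -> signed integer."""
    v = int(bits, 2)
    return v - (1 << len(bits)) if bits[0] == "1" else v


def build_position_report(mmsi: int, lat_deg: float, lon_deg: float,
                          sog_knots: float, cog_deg: float) -> str:
    """Assemble a 168-bit type 1 position report and wrap it in a single-fragment
    !AIVDM sentence. Fields not needed here are set to their 'not available'
    values. No key, no signature: any caller can claim any MMSI."""
    bits = (
        format(1, "06b")                               # message type 1
        + "00"                                         # repeat indicator
        + format(mmsi, "030b")                         # MMSI: unauthenticated identity
        + format(0, "04b")                             # nav status: under way using engine
        + to_twos(-128, 8)                             # rate of turn: not available
        + format(int(round(sog_knots * 10)), "010b")   # speed over ground, 1/10 knot
        + "0"                                          # position accuracy
        + to_twos(int(round(lon_deg * 600000)), 28)    # longitude, 1/10000 minute
        + to_twos(int(round(lat_deg * 600000)), 27)    # latitude, 1/10000 minute
        + format(int(round(cog_deg * 10)), "012b")     # course over ground, 1/10 degree
        + format(511, "09b")                           # true heading: not available
        + format(60, "06b")                            # UTC second: not available
        + "00" + "000" + "0"                           # manoeuvre, spare, RAIM
        + format(0, "019b")                            # radio status
    )
    assert len(bits) == 168
    body = f"AIVDM,1,1,,A,{bits_to_sixbit(bits)},0"    # channel A, 0 fill bits
    return f"!{body}*{nmea_checksum(body)}"


def checksum_ok(sentence: str) -> bool:
    """True if the trailing checksum matches the body. Detects corruption, not forgery."""
    if not sentence.startswith("!") or "*" not in sentence:
        return False
    body, given = sentence[1:].rsplit("*", 1)
    return nmea_checksum(body) == given.upper()


def parse_position_report(sentence: str) -> dict:
    """Check the checksum, unpack the 6-bit payload and decode the fields we care about."""
    if not checksum_ok(sentence):
        raise ValueError("checksum mismatch or malformed sentence")
    fields = sentence[1:].rsplit("*", 1)[0].split(",")
    if fields[0] != "AIVDM":
        raise ValueError("not an AIVDM sentence")
    bits = sixbit_to_bits(fields[5])
    msg_type = int(bits[0:6], 2)
    if msg_type not in (1, 2, 3):
        raise ValueError(f"unsupported message type {msg_type}")
    return {
        "type": msg_type,
        "mmsi": int(bits[8:38], 2),
        "sog_knots": int(bits[50:60], 2) / 10,
        "lon_deg": from_twos(bits[61:89]) / 600000,
        "lat_deg": from_twos(bits[89:116]) / 600000,
        "cog_deg": int(bits[116:128], 2) / 10,
    }


if __name__ == "__main__":
    # Constructed values: a made-up MMSI reported off New York harbour.
    genuine = build_position_report(366123456, 40.7, -73.9, 12.3, 270.0)
    forged = build_position_report(999999999, 40.7, -73.9, 12.3, 270.0)
    for label, s in (("genuine", genuine), ("forged", forged)):
        print(label, s, parse_position_report(s))
    corrupted = genuine[:-2] + ("00" if genuine[-2:] != "00" else "01")
    print("corrupted checksum ok?", checksum_ok(corrupted))
```

The defensive takeaway is the one the Coast Guard's design already reflects: an AIS sentence with a good checksum is well-formed, not trustworthy, so receivers should corroborate it against radar or other secure sources rather than treat a claimed MMSI and position as fact.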

Whitney Grace, May 11, 2013

Sponsored by ArnoldIT.com, developer of Beyond Search
